@@ -3,39 +3,41 @@ | |||||
# | # | ||||
# Insert additional firewall rules to allow required services to function | # Insert additional firewall rules to allow required services to function | ||||
# Insert them all on rule_num 5, and insert them in reverse order here: | # Insert them all on rule_num 5, and insert them in reverse order here: | ||||
- name: Allow HTTPS on port {{ item }} | |||||
- name: Allow SSH | |||||
iptables: | iptables: | ||||
chain: INPUT | chain: INPUT | ||||
action: used_iptabples_action | |||||
rule_num: 5 | |||||
protocol: tcp | protocol: tcp | ||||
destination_port: {{ item }} | |||||
destination_port: 22 | |||||
ctstate: NEW | ctstate: NEW | ||||
syn: match | syn: match | ||||
jump: ACCEPT | jump: ACCEPT | ||||
comment: Accept new HTTPS ({{ item }}) connections | |||||
with_items: | |||||
- 1443 | |||||
- 443 | |||||
comment: Accept new SSH connections | |||||
become: yes | become: yes | ||||
- name: Allow HTTP on port {{ item }} | |||||
- name: "Allow HTTP on port {{ item }}" | |||||
iptables: | iptables: | ||||
chain: INPUT | chain: INPUT | ||||
action: used_iptabples_action | |||||
rule_num: 5 | |||||
protocol: tcp | protocol: tcp | ||||
destination_port: {{ item }} | |||||
destination_port: "{{ item }}" | |||||
ctstate: NEW | ctstate: NEW | ||||
syn: match | syn: match | ||||
jump: ACCEPT | jump: ACCEPT | ||||
comment: Accept new HTTP ({{ item }}) connections | |||||
comment: "Accept new HTTP ({{ item }}) connections" | |||||
with_items: | with_items: | ||||
- 1080 | |||||
- 80 | - 80 | ||||
- 1080 | |||||
become: yes | become: yes | ||||
- name: Restart iptables | |||||
service: | |||||
name: netfilter-persistent | |||||
state: restarted | |||||
- name: "Allow HTTPS on port {{ item }}" | |||||
iptables: | |||||
chain: INPUT | |||||
protocol: tcp | |||||
destination_port: "{{ item }}" | |||||
ctstate: NEW | |||||
syn: match | |||||
jump: ACCEPT | |||||
comment: "Accept new HTTPS ({{ item }}) connections" | |||||
with_items: | |||||
- 443 | |||||
- 1443 | |||||
become: yes |
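Review bot: The new `Allow SSH` task opens port 22 unconditionally, whereas the equivalent rule in firewall.yml is gated with `when: fw_enable_ssh` (and HTTP with `when: fw_enable_http`), so once this file runs after the Algo install it re-opens SSH and HTTP on hosts where those flags were deliberately off. Add `when: fw_enable_ssh` to the SSH task, `when: fw_enable_http` to the HTTP task and the matching HTTPS flag to the HTTPS task so the two files enforce the same policy. The header comment is also now stale: it still says "Insert them all on rule_num 5, and insert them in reverse order", but the tasks carry no `action`/`rule_num` (the iptables module defaults to append) and the port lists are in forward order; replace it with something like `# Append ACCEPT rules for required services; this assumes INPUT drops via chain policy rather than a trailing DROP rule`. If the `Restart iptables` task here is on the new side, note that restarting netfilter-persistent reloads the saved ruleset and discards runtime-only rules, and no save step is visible in this hunk — confirm the rules are persisted before it.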
@@ -16,3 +16,7 @@ | |||||
- name: Run algo playbook to install algo | - name: Run algo playbook to install algo | ||||
shell: /root/ansible/roles/algo/algo/install_algo.sh | shell: /root/ansible/roles/algo/algo/install_algo.sh | ||||
tags: algo_related | tags: algo_related | ||||
# Algo installation clears out iptable rules. Add needed bubble rules back: | |||||
- include: algo_firewall.yml | |||||
tags: algo_related |
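Review bot: `include:` is the deprecated legacy form, and whether `tags: algo_related` propagates to the tasks inside algo_firewall.yml depends on whether Ansible resolves it statically; a `--tags algo_related` run that executes install_algo.sh (which the comment says flushes the rules) without also running the restore tasks would leave the host with the Algo-flushed ruleset. Use `- import_tasks: algo_firewall.yml` with the same `tags: algo_related`, which is static and applies the tag to every imported task. A one-line comment such as `# import_tasks (not include) so the tag reaches the rules and they are restored whenever the install runs` would make the intent clear to the next maintainer. The hunk appears to sit at the end of the file; one added line may not be rendered here.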
@@ -25,9 +25,10 @@ | |||||
src: "supervisor_bubble.conf.j2" | src: "supervisor_bubble.conf.j2" | ||||
dest: /etc/supervisor/conf.d/bubble.conf | dest: /etc/supervisor/conf.d/bubble.conf | ||||
- include: firewall.yml | |||||
vars: | |||||
used_iptabples_action: "{{ 'append' if restore_key is defined else 'insert' }}" | |||||
- name: Restart iptables | |||||
service: | |||||
name: netfilter-persistent | |||||
state: restarted | |||||
# We cannot receive notifications until nginx is running, so start bubble API as the very last step | # We cannot receive notifications until nginx is running, so start bubble API as the very last step | ||||
- name: reload supervisord | - name: reload supervisord | ||||
@@ -34,8 +34,6 @@ | |||||
- name: Allow MITM private port | - name: Allow MITM private port | ||||
iptables: | iptables: | ||||
chain: INPUT | chain: INPUT | ||||
action: insert | |||||
rule_num: 5 | |||||
protocol: tcp | protocol: tcp | ||||
destination_port: 8888 | destination_port: 8888 | ||||
ctstate: NEW | ctstate: NEW | ||||
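Review bot: Dropping `action: insert` / `rule_num: 5` means the 8888 ACCEPT is now appended (the iptables module's default), so if the INPUT chain ends with an explicit DROP or REJECT rule rather than relying on the chain policy, this rule lands after it and never matches — the MITM port silently becomes unreachable. Keep the append form only after confirming the chain's final rule is not a catch-all; otherwise restore `action: insert` with an explicit `rule_num`. Separately, a port described as "private" still has no `source` or `in_interface` restriction, so it accepts connections from any address; if it is only meant for VPN clients, restrict it to the VPN interface or subnet (TODO confirm the intended client set). The remainder of this task (syn/jump/comment) lies outside the hunk.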
@@ -29,30 +29,30 @@ | |||||
become: yes | become: yes | ||||
when: fw_enable_ssh | when: fw_enable_ssh | ||||
- name: Allow HTTP on port {{ item }} | |||||
- name: "Allow HTTP on port {{ item }}" | |||||
iptables: | iptables: | ||||
chain: INPUT | chain: INPUT | ||||
protocol: tcp | protocol: tcp | ||||
destination_port: {{ item }} | |||||
destination_port: "{{ item }}" | |||||
ctstate: NEW | ctstate: NEW | ||||
syn: match | syn: match | ||||
jump: ACCEPT | jump: ACCEPT | ||||
comment: Accept new HTTP ({{ item }}) connections | |||||
comment: "Accept new HTTP ({{ item }}) connections" | |||||
with_items: | with_items: | ||||
- 80 | - 80 | ||||
- 1080 | - 1080 | ||||
become: yes | become: yes | ||||
when: fw_enable_http | when: fw_enable_http | ||||
- name: Allow HTTPS on port {{ item }} | |||||
- name: "Allow HTTPS on port {{ item }}" | |||||
iptables: | iptables: | ||||
chain: INPUT | chain: INPUT | ||||
protocol: tcp | protocol: tcp | ||||
destination_port: {{ item }} | |||||
destination_port: "{{ item }}" | |||||
ctstate: NEW | ctstate: NEW | ||||
syn: match | syn: match | ||||
jump: ACCEPT | jump: ACCEPT | ||||
comment: Accept new HTTPS ({{ item }}) connections | |||||
comment: "Accept new HTTPS ({{ item }}) connections" | |||||
with_items: | with_items: | ||||
- 443 | - 443 | ||||
- 1443 | - 1443 | ||||